2009/9/14 decibel <deci...@decibel.org>:
> On Sep 14, 2009, at 12:13 AM, Pavel Stehule wrote:
>>
>> 2009/9/13 decibel <deci...@decibel.org>:
>>>
>>> On Sep 12, 2009, at 5:54 PM, Andrew Dunstan wrote:
>>>>
>>>> decibel wrote:
>>>>>
>>>>> Speaking of concatenation...
>>>>>
>>>>> Something I find sorely missing in plpgsql is the ability to put
>>>>> variables inside of a string, ie:
>>>>>
>>>>> DECLARE
>>>>> v_table text := ...
>>>>> v_sql text;
>>>>> BEGIN
>>>>> v_sql := "SELECT * FROM $v_table";
>>>>>
>>>>> Of course, I'm assuming that if it was easy to do that it would be done
>>>>> already... but I thought I'd just throw it out there.
>>>>>
>>>>
>>>> Then use a language that supports variable interpolation in strings,
>>>> like plperl, plpythonu, plruby .... instead of plpgsql.
>>>
>>> Which makes executing SQL much, much harder.
>>>
>>> At least if we get sprintf, dealing with strings might become a bit
>>> easier...
>>
>> This feature is nice, but very dangerous: it is the easiest way to
>> write an application vulnerable to SQL injection!
>
> How is it any worse than what people can already do? Anyone who isn't aware
> of the dangers of SQL injection has already screwed themselves. You're
> basically arguing that they would put a variable inside of quotes, but they
> would never use ||.
Simply: people use the functions quote_literal or quote_ident.

regards
Pavel Stehule

> --
> Decibel!, aka Jim C. Nasby, Database Architect  deci...@decibel.org
> Give your computer some brain candy! www.distributed.net Team #1828

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
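Pavel's point worked through as an added example (not code from the thread): the raw `||` concatenation decibel describes beside the `quote_ident()`/`quote_literal()` form Pavel recommends, and a third variant that goes one step further by passing the value through `EXECUTE ... USING`. The table, column and function names are constructed for the illustration.

```sql
-- Constructed sample table so the functions have something to query.
CREATE TABLE "Customer Notes" (id serial PRIMARY KEY, owner text, note text);
INSERT INTO "Customer Notes" (owner, note)
VALUES ('O''Reilly', 'first'), ('smith', 'second');

-- Unsafe: raw concatenation. Identifier and value are spliced into the SQL
-- text exactly as given, so any quote character in either one changes the
-- statement's structure instead of staying data.
CREATE OR REPLACE FUNCTION notes_for_unsafe(v_table text, v_owner text)
RETURNS SETOF text LANGUAGE plpgsql AS $$
DECLARE
    v_sql text;
BEGIN
    v_sql := 'SELECT note FROM ' || v_table
          || ' WHERE owner = ''' || v_owner || '''';
    RETURN QUERY EXECUTE v_sql;
END;
$$;

-- Hardened: quote_ident() double-quotes the identifier (doubling embedded
-- double quotes), quote_literal() single-quotes the value (doubling embedded
-- single quotes), so both remain inert text inside the statement.
CREATE OR REPLACE FUNCTION notes_for_safe(v_table text, v_owner text)
RETURNS SETOF text LANGUAGE plpgsql AS $$
DECLARE
    v_sql text;
BEGIN
    v_sql := 'SELECT note FROM ' || quote_ident(v_table)
          || ' WHERE owner = ' || quote_literal(v_owner);
    RAISE NOTICE 'executing: %', v_sql;
    RETURN QUERY EXECUTE v_sql;
END;
$$;

-- Better still: the value never becomes part of the SQL text at all; it is
-- bound as $1 via USING, so only the identifier needs quote_ident().
CREATE OR REPLACE FUNCTION notes_for_param(v_table text, v_owner text)
RETURNS SETOF text LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT note FROM ' || quote_ident(v_table)
                      || ' WHERE owner = $1' USING v_owner;
END;
$$;

-- The unsafe version raises a syntax error on the mixed-case table name and
-- on the apostrophe in the owner; the two quoted versions return 'first'.
SELECT * FROM notes_for_safe('Customer Notes', 'O''Reilly');
SELECT * FROM notes_for_param('Customer Notes', 'O''Reilly');
```

The `RAISE NOTICE` in `notes_for_safe` shows the exact statement text that runs, which is the quickest way to audit what a dynamic-SQL function is actually executing.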